Overview:

Cyber security researchers have discovered a new and sophisticated cyber attack campaign that relies on social engineering and the abuse of remote access tools. The attack has affected organizations in North America (54%) and Europe (46%).

The attackers are motivated by extracting sensitive information from compromised systems, which they may sell or otherwise use for personal gain.

How the Attack Works:

To obtain an initial foothold, cyber criminals abuse Microsoft Teams to impersonate one of an employee’s contacts.

Remote access software such as Quick Assist then helps the cyber criminals escalate privileges efficiently. Legitimate system update tools are next abused to sideload malicious DLLs, giving the cyber criminals access to the network.

BackConnect malware is then deployed, allowing cyber criminals to retain control over compromised systems. Malicious files are hosted and distributed via commercial cloud storage services, exploiting misconfigured or publicly accessible storage repositories.

Historical Analysis:

Researchers have tied the BackConnect malware to a loader malware that was targeted in a major takedown operation in 2023. This loader helped provide ransomware actors with access to intended systems. After the takedown, the cyber criminals were forced to find other means of continuing their schemes.

Defense and Mitigation Strategies:

To counter evolving threats like this one, organizations are advised to:
1. Upgrade authentication measures. From multi-factor authentication to other user verification protocols, organizations need to ensure that they are taking all relevant actions to protect people, systems and the business at large.

2. Limit the use of remote access tools. Consider implementing just-in-time access, where remote access tools provide temporary, time-limited access under specific circumstances. Establish a formal approval process for remote access use. Maintain a whitelist of approved tools. Block unauthorized tools through application control policies.

3. Regularly audit cloud storage configurations. Because misconfigurations are one of the most common causes of data breaches, ensure that your organization has implemented least-privilege access and that excessive permissions are revoked immediately.

4. Monitor network traffic. Consider integrating network monitoring with endpoint detection systems so that suspicious network activity can be correlated with unusual endpoint behavior. This provides context for potential threats and can help catch them early.

5. Conduct phishing simulations. To train employees on potential threats, leverage tools that offer simulation capabilities. Consider testing out impersonation scenarios.
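One way to put recommendations 2 and 4 into practice together, as an added example that is not from the report or from Check Point: the script flags launches of a watched remote access tool that are not covered by a just-in-time approval and attaches any outbound connections from the same host within a short window as supporting context. The event fields, host names, approval records and addresses are all constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Remote access tools to watch. The report names Quick Assist; extend the set
# from your own inventory (assumption: process names as logged by the EDR).
WATCHED_TOOLS = {"quickassist.exe"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry, not taken from the report. TEST-NET addresses
# (203.0.113.x, 198.51.100.x) stand in for external hosts.
PROCESS_EVENTS = [
    {"ts": "2025-03-03T09:00:00", "host": "WS-17", "user": "jdoe", "process": "QuickAssist.exe"},
    {"ts": "2025-03-03T09:02:00", "host": "WS-22", "user": "asmith", "process": "quickassist.exe"},
    {"ts": "2025-03-03T09:05:00", "host": "WS-22", "user": "asmith", "process": "winword.exe"},
]
NETWORK_EVENTS = [
    {"ts": "2025-03-03T09:00:40", "host": "WS-17", "dst": "203.0.113.7", "dport": 443},
    {"ts": "2025-03-03T09:01:05", "host": "WS-17", "dst": "10.0.0.5", "dport": 445},
    {"ts": "2025-03-03T09:03:10", "host": "WS-22", "dst": "198.51.100.9", "dport": 443},
]
# Just-in-time approvals from the remote-access approval process (constructed):
# the help desk was cleared to use Quick Assist on WS-22 between 09:00 and 09:30.
APPROVALS = [{"host": "WS-22", "process": "quickassist.exe",
              "start": "2025-03-03T09:00:00", "end": "2025-03-03T09:30:00"}]

def _t(s):
    return datetime.fromisoformat(s)

def is_approved(event, approvals):
    """True if a just-in-time approval covers this tool launch on this host."""
    t = _t(event["ts"])
    return any(a["host"] == event["host"] and a["process"] == event["process"].lower()
               and _t(a["start"]) <= t <= _t(a["end"]) for a in approvals)

def correlate(process_events, network_events, approvals, window=timedelta(minutes=5)):
    """Alert on unapproved remote-access tool launches; attach outbound connections
    to non-internal destinations from the same host within `window` as context."""
    alerts = []
    for p in process_events:
        if p["process"].lower() not in WATCHED_TOOLS or is_approved(p, approvals):
            continue
        start = _t(p["ts"])
        external = sorted({n["dst"] for n in network_events
                           if n["host"] == p["host"]
                           and start <= _t(n["ts"]) <= start + window
                           and not any(ip_address(n["dst"]) in net for net in INTERNAL_NETS)})
        alerts.append({"host": p["host"], "user": p["user"], "process": p["process"],
                       "severity": "high" if external else "medium",
                       "external_destinations": external})
    return alerts
```

Feeding the constructed events through `correlate` produces a single high-severity alert for WS-17, while the approved help-desk session on WS-22 and the unrelated Word launch are left alone.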

Harmony Email & Collaboration: Addressing Challenges

As email and workspace threats become unnervingly sophisticated, organizations need tools like Harmony Email & Collaboration to comprehensively protect all communication channels.

Harmony Email & Collaboration offers advanced protection for the precise attack vectors highlighted in this report.

Its advanced threat prevention capabilities can identify and block social engineering attempts before they reach end users, while also detecting suspicious collaboration tool events that could point to an attack in progress. AI-powered engines further support operations, ensuring rigorous, robust and real-time threat prevention.

To schedule a demo, click here or reach out to your local Check Point representative.